CVE-2026-35452
Received Received - Intake
Unauthorized Log Disclosure in WWBN AVideo CloneSite Plugin

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35452
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo versions 26.0 and prior, specifically in the CloneSite plugin. The endpoint plugin/CloneSite/client.log.php serves the clone operation log file without requiring any authentication, unlike other endpoints in the same plugin directory which require admin privileges. This log file contains sensitive information such as internal filesystem paths, remote server URLs, and SSH connection metadata.

Impact Analysis

Because the clone operation log file is accessible without authentication, an attacker can obtain sensitive internal information about the system. This includes filesystem paths, remote server URLs, and SSH connection details, which could be used to facilitate further attacks, reconnaissance, or unauthorized access.

Compliance Impact

The vulnerability allows unauthenticated access to a log file containing internal filesystem paths, remote server URLs, and SSH connection metadata. This exposure of potentially sensitive internal information could lead to non-compliance with data protection standards such as GDPR and HIPAA, which require safeguarding sensitive data and controlling access to it.

However, the provided information does not explicitly state the impact on compliance with these standards.

Detection Guidance

This vulnerability can be detected by checking if the plugin/CloneSite/client.log.php endpoint is accessible without authentication on your WWBN AVideo installation. Since this endpoint serves the clone operation log file without requiring admin privileges, you can attempt to access it directly via HTTP requests.

  • Use curl or wget to request the URL: curl -I http://your-avideo-domain/plugin/CloneSite/client.log.php
  • Check if the response status is 200 OK and if the content contains internal filesystem paths, remote server URLs, or SSH connection metadata.
  • Scan web server logs or use web vulnerability scanners to identify unauthenticated access to this endpoint.
Mitigation Strategies

To mitigate this vulnerability immediately, restrict access to the plugin/CloneSite/client.log.php endpoint to authorized users only.

  • Apply authentication checks similar to other endpoints in the CloneSite plugin directory, enforcing User::isAdmin() or equivalent.
  • If possible, restrict access to this endpoint via web server configuration (e.g., IP whitelisting or authentication).
  • Update WWBN AVideo to a version later than 26.0 where this issue is fixed.
  • Avoid exposing sensitive log files publicly to prevent leakage of internal filesystem paths and SSH metadata.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35452. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart